Robot Crack's Phone Code In Less Than 24 Hours

If they simply tried all the combinations, hackers would have to be mighty patient to crack a smartphone’s four-digit PIN code. After all, there are 10,000 possibilities. But a cheap, 3D-printed robot has shown it has all the patience in the world. In fact, it can crack a typical Android phone’s lock in less than 20 hours.

Security researchers Justin Engler and Paul Vines built the Robotic Reconfigurable Button Basher, affectionately known as R2B2, for about $200. They used $10 servomotors, an open-source Arduino microcontroller, a plastic stylus, a variety of 3D-printed plastic parts and a cheap webcam that detects when the correct passcode is used. Linked via USB, R2B2 can connect to a Mac or Windows PC that runs a code-cracking program.

Engler and Vines set R2B2 to guess five PIN numbers every 30 seconds, with a 5-second delay after every five guesses. At that rate, the robot could go through all 10,000 combinations in 19 hours and 24 minutes on an Android phone. The iPhone couldn’t be tested because it requires users to wait increasing lengths of time after each wrong guess, and can eventually lock out potential hackers for hours.

Engler and Vines are also working on another Star Wars-themed code-cracking bot. This one’s called the Capacitative Cartesian Coordinate Brute-force Overlay. Better known as C3B0, this droid utilizes electrodes on a phone’s touchscreen to simulate finger tapping.

But don’t worry, you won’t have to start hiding your phone from an army of code-cracking robots, the developers created R2B2 simply to see if it could be done. But Engler told Forbes that the bot does raise awareness about PIN code insecurity.

“When you see a robot working like this, you think, ‘maybe I should have a longer PIN,’” said Engler. “If I’m a CEO, a four digit PIN is a problem, because it’s worth 20 hours to break in and get my confidential emails.”

In fact, many phones do have an option for a six-digit PIN. By just adding those two extra digits, it would take R2B2 up to 80 days longer to crack the code, compared to a four-digit number.

Engler and Vines plan to release the free software and blueprints for the 3D-printable parts next month at DEF CON, a hacker conference in Las Vegas. They also plan to have C3B0 ready in time, so if you’re in Sin City the first weekend in August, stop by the Rio Hotel and Casino and see if they can hack your phone while you win your fortune at the slots.